April 2, 2015

Karen DeSalvo M.D.

National Coordinator for Health Information Technology

Department of Health and Human Services

200 Independence Ave, S.W., Suite 729D

Washington, DC 20201

Re: Comments on “Connected Health and Care for the Nation.”

Dear Dr. DeSalvo:

Thank you for the opportunity to comment on the draft interoperability roadmap, “Connected Health and Care for the Nation”. We commend you, the staff of the Office of the National Coordinator (“ONC”), and the members of the advisory committees who support your work for your leadership in this effort. We look forward to working with you and our colleagues in industry over the next ten years to create a learning health system that will improve health, lower costs, empower patients and stimulate innovation.

We are especially pleased to share our thoughts about your plan, as nearly all of the questions it addresses were challenges Surescripts also faced when the company was created more than a decade ago with the goal to electronically route prescriptions, medication histories, and formulary/benefit information to points of care in providers’ offices and pharmacies. At the time, electronic prescribing was one of the pioneer health information technologies and, for most providers, it would become the first clinical technology adopted as they shifted from paper to electronic record sharing and messaging. There were no models from which to draw as we began the work of designing, building, and scaling an interoperable network. Over the years, we worked to develop and execute policies related to privacy and security, quality and safety, technical standards and certification, and governance—the very same issues your draft plan aims to address. Our comments on your proposal are based on learnings from our experience, which we hope will be of value as you finalize the Roadmap over the coming months.

Today, Surescripts operates the nation’s largest clinical health information network. We have moved beyond e-prescribing and support many forms of clinical messaging. We serve providers and patients in all 50 states and the District of Columbia and deliver over 700,000 clinical health transactions every hour. Every day, more than 70 percent of all office-based providers use our services on behalf of 3 million patients. We connect to 99 percent of all retail chain pharmacies in the country and we delivered over 1 billion prescriptions and 1 billion medication histories to providers this past year. Our provider directory contains over 900,000 prescribers and our Master Patient Index covers 270 million insured lives.

While the pace of our growth was accelerated by the two federal financial incentive programs – MIPPA and HITECH -- which created payments and penalties for adoption and utilization of e-prescribing -- we believe that our success is attributable to the value that Surescripts provides and the business model based on that value creation. Our founding owners -- the National Association of Chain Drug Stores (“NACDS”), the National Community Pharmacist Association (“NCPA”), Medco, Express Scripts, and Caremark[1] -- created Surescripts because there was a strong business case to do so. It is that element -- the need for a clear economic case -- that we believe has been the greatest barrier to system-wide interoperability within the current HIT ecosystem. That is why we support the payment reforms of the Department of Health and Human Services to move to a value based system of reimbursement.

We recognize there are technical impediments to interoperability in the system and we strongly support many of the recommendations made in the JASON report regarding changes to the HIT architecture. We currently are collaborating with other industry stakeholders to accelerate some of the JASON recommendations. But we remain convinced that even a perfectly designed architecture and wide-spread adoption of standards will not achieve an interoperable learning health system in the absence of a value proposition and corresponding business case for all of the system’s participants.

Attached are our responses to questions outlined in the Roadmap. We’ve limited our comments to those items we can address based on our learning and experience building a national interoperable network. It has been our privilege to collaborate with the Office of the National Coordinator over the past decade, and we look forward to continuing our work with you over the coming years.

Sincerely,

______

Paul L. Uhrig

EVP, Chief Administrative & Legal Officer

______

Mary Ann Chaffee

SVP, Policy and Federal Affairs

  1. Priority Use Cases

Submit three priority use cases from Roadmap list of 56 candidates:

We recommend the following three as highest priority use cases to inform priorities for the development of technical standards, policies and implementation specifications:

  1. Use Case #24: Benefits communication needs to be standardized and made available on all plans through HIT to providers and patients as they make health and healthcare decisions, in a workflow convenient to the decision-making process
  2. Use Case #3: The status of transitions of care should be available to sending and receiving providers to enable effective transitions and closure of all referral loops
  3. Use Case #33: Providers have the ability to query data from other sources in support of care coordination (patient generated, other providers, etc) regardless of geography or what network it resides in

  1. Governance

Recommendations on governance:

Surescripts has significant experience in creating a governance framework for the secure exchange of clinical information on a national scale among a wide and diverse set of participants. Our governance framework has created extensive, safe, and secure interoperability among a wide set of stakeholders. The model consists of contractual chains of trust and governance, certification and implementation requirements, on-going compliance and enforcement activities, and continued flexibility and responsiveness to industry needs. It has served us well by promoting interoperability and quality communications across the Surescripts network.

At the heart of the governance of a network are the rules of participation – in short:

  1. Who can connect to, and transact business on, the network;
  2. What are the prerequisites and conditions for connectivity, including, but certainly not limited to, security;
  3. How – what are the standards by which – Participants connect to the network;
  4. What message types can be transmitted; and
  5. What are the conditions of continued participation?

The Surescripts governance model has processes and procedures to:

  1. Establish the rules of participation;
  2. Disseminate the rules of participation;
  3. Require compliance with the rules of participation;
  4. Monitor compliance with the rules of participation; and
  5. Take enforcement action in the event of a breach of a rule of participation.

We agree that a governance mechanism will help advance interoperability across all the diverse entities and networks that comprise the learning health system. We do not agree, however, that only one governance model, or one governance model with authority over other models, should prevail. We believe that one governance model, or one governance structure, that will attempt to govern all of the disparate stakeholders and the many issues involved in the safe and effective interoperability of systems will likely not succeed. We would recommend that ONC:

  1. Take steps to support and nurture the governance models that have been created, such as DirectTrust and Healtheway as just two examples, and encourage the development of other governance models that meet some of the principles described herein; namely transparency, openness to all, focus, and a defined mission and objective.
  2. Identify specific and focused issues that are so core and fundamental to nationwide interoperability that they would lend themselves to one governance model. We would suggest that ONC consider issues related to security and privacy, including, but not limited to, appropriate ID proofing and authentication of users, as issues that are so fundamental to the trust framework that we envision that they lend themselves to a coordinated governance model applicable to all.

A shared governance model can enable stakeholders to make collective decisions that will lead to an interoperable system. Any governance framework, however, must be open to all interested parties, or at least represent all, who choose to participate.

A governance framework also must encourage disparate and evolving business models and innovation. Governance frameworks that do not respect either the introduction of new and innovative market-driven business models or new and innovative technologies, processes, or policies will not lead to the learning health system that we aspire to.

However, we believe that one governance model, or one governance structure, that will attempt to govern all of the disparate stakeholders and the many issues involved in the safe and effective interoperability of systems likely will not succeed. Several governance models have already been successful in driving interoperability. Most notably, DirectTrust and Healtheway are examples of governance models, supported at the outset by ONC, that have brought together a common set of stakeholders to address specific interoperability issues. We believe these organizations have been successful because they have had specific mandates and focus. It is entirely appropriate that these organizations have different immediate goals and even different methods or standards to achieve these goals. They provide value and they are addressing market needs in a way that satisfies the needs of the participants. We are already beginning to see convergence and coordination among some of these existing interoperability initiatives. We believe that with ONC’s leadership, these initiatives could continue to align as needs dictate into a more clear, cohesive, coordinated effort. ONC has nurtured these specific efforts, and we would suggest that ONC nurture other efforts that address specific and focused needs in the industry.

We would recommend that ONC first and foremost focus its efforts on specific issues that transcend the various models that exist. We believe that the broader health IT community should identify the specific capabilities which require uniformity at the national-level and coordinate and build consensus around those issues. The actual governance structure and process should be based upon the issues that warrant national-level coordination. ONC must be clear as to what and who would be governed, and cannot disadvantage some to the benefit of others.

There are issues that may lend themselves to a common set of “rules of the road” that apply to almost all forms of interoperability. As noted in the Roadmap, the federal government has a role to play in establishing rules of the road that support consumer protection. We believe that ONC should identify specific and focused issues that are so core and fundamental to nationwide interoperability that they lend themselves to one governance model. We would suggest that ONC consider issues related to security and privacy, including, but not limited to, appropriate ID proofing and authentication of users, as issues that are so fundamental to the trust framework that we envision that they lend themselves to a coordinated governance model applicable to all. In our experience, the intractable issues that create barriers to interoperability and the flow of information across multiple participants relate to trust, or more appropriately the lack of trust, that everyone is adhering to the same standards with respect to security, privacy, and the use of data as it flows from one entity to another. For instance, it is axiomatic in the world of interoperability that we envision that everyone have assurance that a person claiming to be who they are is in fact who they are. Accordingly, ID proofing of users of systems is essential. It is our experience, however, that there are widely disparate understandings of what it means to ID proof, how to be compliant with applicable standards, such as NIST level II or NIST level III, or who are the best parties to do the appropriate ID proofing. We would suggest that this is one example of an area that would lend itself to a governance framework driven by the federal government.

We applaud ONC’s commitment to transparency. We would note, however, that certain matters do not lend themselves to transparency. For instance, ONC has suggested that participants in the electronic exchange of information should share or make public vulnerabilities in their security. All participants should be held to high standards with respect to privacy and security, but no responsible company would publish or make public, or should be compelled to make public, a report that could effectively be used as a roadmap by hackers or other persons with bad intent to compromise the security of patient information.

We also are concerned regarding the statements in the Roadmap that suggest that “no policy, business, operational, or technical barriers that are not required by law should be built to prevent information from appropriately flowing….” Leaving aside that many laws are designed to prevent certain behavior rather than require certain behavior, we would suggest that there are many policies or operational requirements that are not required by law but are imposed for proper purposes, especially to protect patient privacy and to ensure the security of patient data. The Roadmap should not presume that every policy, business, operational, or technical artifact that is not required by law is pernicious in intent or effect even though it could be construed by someone as a barrier.

We recommend that ONC maximize its unique role to convene and coordinate across existing standards development organizations (SDOs) and interoperability initiatives to foster consensus on the specific issues that need to be addressed at a national-level. Then, ONC may assess whether those issues are best addressed by coordination, communication, engagement or governance.

  1. Privacy and Security Protections

Comments on aspects of privacy protections:

Although the Roadmap discusses the need for states to review regulations and policies, it ignores the issue of 50 diverse statutory regimes governing use and disclosures of PHI. In our experience, competing state regulatory regimes have been a significant barrier to adoption and utilization. We recommend that consideration be given to amending HIPAA to create a more universally acceptable standard that would be used as the single regulatory regime, across all states, governing use and disclosure of PHI.

The Roadmap recommends that states begin revising regulations, policies and programs for granular choice to align with the “consensus categories” of sensitive health information. This assumes that there are in fact “consensus categories” across the 50 states. In our experience, the concept of “sensitive information” is fluid and such categories have changed and will continue to change as time goes on. We suggest that the recommendation be reexamined in the context of “consensus categories” that are not static. Further, we note that when discussing the need to provide patients with “Granular Choice,” the Roadmap does not address the issue of implementation costs.

Regarding patient matching, the Roadmap does not address the issue of a national patient identifier and why it should/should not be utilized. Our recommendation is for the Roadmap to acknowledge both the issue and the existence of Master Patient Indexes already in use at large scale across the country. As ONC develops a position on the question, we urge that any proposed data requirements not exceed capabilities for current industry solutions.

We believe that there is a need to educate patients as they become involved in making choices regarding how their information should be used. Patients should understand not only how and why their information will be used and disclosed, but also why access to their PHI is important and/or the benefits of allowing such access. Particular focus should be placed on who will provide this education. It may be too onerous for providers to assume this task.

  1. Core Technical Standards and Functions

Which data elements in the proposed common clinical data set list need to be further standardized? And in what way?

In the case of public and population health, we suggest a different approach to data collection and exchange and one that Surescripts uses for our medication history service. The use of metadata with simple flags and counts would provide more efficient and useful information for researchers and policymakers who are interested in trends across populations. Methods should be developed to extract data from patient records and aggregate it for public use. This would eliminate the need to exchange entire records at the level of detail required by clinicians who are actually treating patients.

Do you believe the approach proposed for Accurate Individual Data Matching will sufficiently address the industry needs and address current barriers?

ONC and Standard Development Organizations (SDOs) should consider standardizing the minimum recommended data elements to be consistently included in all queries for patient clinical health information, and to be used to link patient clinical health information from disparate systems. We also recommend that individual data matching should focus on the quality of the information used in the match and that data elements involved in search should not be expanded.